Oopsies: Mass. General worker loses confidential patient data on the Red Line
By adamg - 3/24/09 - 7:02 am
The Globe reports on the loss of data on 66 patients who'd been seen at an infectious-diseases clinic:
According to hospital security reports, a manager in the infectious disease center's billing unit told supervisors that she left the paperwork on a Red Line train the morning of March 9. The manager said she had brought the paperwork home with her to work over the weekend and left the material sometime between 7:30 and 9 a.m. The Transit Police were notified, but the paperwork was not found.
The incident makes Tinker Ready wonder if maybe the T needs a new announcement when a train pulls into a station.

Comments
Company policy
This is why, where I work, staff are not allowed to take files containing confidential information home with them, nor are they allowed to work remotely.
Exactly!
I used to go through medical records and extract information for epidemiologic studies. I was never allowed to leave the oncology suite with any of the records that I had. I was prohibited from photocopying anything, unless I got one of the records staff to do it for me.
There were some really good reasons for this - people came to visit from all over the northern hemisphere for limb-sparing bone cancer treatment. Some of them were quite famous.
This was at Mass General in 1993-1996. I'm surprised that they changed their policies - either that, or somebody didn't think or ignored the policy.
Gonna blog about this when I have more time, but...
HIPAA doesn't actually forbid taking confidential information out of buildings, like many of the commenters on the Glob site are saying. It prohibits taking ORIGINAL MEDICAL RECORDS out of a building (unless like you're moving an office and you have a plan in place to move them of course). Someone mentioned signing out records; it's standard practice to sign a log if removing something from a record, and you generally wouldn't be taking it out of the building.
But a billing printout isn't part of a patient's medical record. It's confidential information under HIPAA, yes, but it's not part of a medical record. There's a distinction. HIPAA says it's fine to work at home, but that precautions need to be taken. It doesn't say how to take these. I've worked at many places where one is allowed to take paperwork home (but never take an original document that isn't backed up somehow out of a medical record). This is pretty standard practice. Also, when someone is on-call and is at home, they need to have access to basic history of people about whom they may be receiving calls. Not everywhere can have fancy electronic systems, so most smaller programs have a binder that the on-call person takes home. S/he needs to be careful with it, yes, but human error does happen.
Also, many places that are subject to HIPAA do home visits or assessments in schools or other places. I currently work somewhere where we do a lot of home visits. We have confidential information with us. I have a grid of my clients' names and addresses and DOBs and phone numbers in my day planner, and I have progress notes and testing data with me at the end of the day that I need to take back and put into the medical record. All of this is acceptable practice. I take precautions to not leave my bag anywhere, but my car or my house could get broken into. If this happened, I'm sure there would be all sorts of uninformed people saying I shouldn't have been allowed to take this information out of the building, but then we wouldn't be able to provide in-home services, or observe kids at daycare, or any number of other clinically necessary services.
HIPAA doesn't guarantee that no medical records will ever be wrongly released anywhere ever. It guarantees that reasonable precautions will be taken. There's no evidence that they weren't in this situation. We're not about to send armed bodyguards out with people any time confidential information is being transported.
I hope that manager is ready
I hope that manager is ready for all the lawsuits that will be personally filed against her. Can you say 'HIPAA violation'?